-rw-r--r--src/include/ndpi_typedefs.h3
-rw-r--r--src/lib/protocols/quic.c18
-rw-r--r--tests/cfgs/default/pcap/quic_frags_different_dcid.pcapngbin0 -> 4036 bytes
-rw-r--r--tests/cfgs/default/result/quic_frags_different_dcid.pcapng.out33
4 files changed, 52 insertions, 2 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 81bf258e2..91dd4cff0 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -919,6 +919,9 @@ struct ndpi_flow_udp_struct {
u_int8_t *quic_reasm_buf;
u_int8_t *quic_reasm_buf_bitmap;
u_int32_t quic_reasm_buf_last_pos;
+ /* DCID of the first Initial sent by the client */
+ u_int8_t quic_orig_dest_conn_id[20]; /* Max length is 20 on all QUIC versions */
+ u_int8_t quic_orig_dest_conn_id_len;
/* NDPI_PROTOCOL_RDP */
u_int8_t rdp_to_srv[3], rdp_from_srv[3], rdp_to_srv_pkts, rdp_from_srv_pkts;
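Review bot: The new quic_orig_dest_conn_id_len field is used in quic.c as a "not captured yet" sentinel when it is 0, but the comment on these lines does not say so, and the sentinel appears to rely on the flow struct starting zeroed. The 20-byte size is asserted without a reference. Suggest replacing the two comments with `/* DCID of the first Initial sent by the client; the Initial secrets are derived from it (RFC 9001 sec. 5.2). Max CID length is 20 on all QUIC versions (RFC 9000 sec. 17.2). _len == 0 means not captured yet. */`. struct ndpi_flow_udp_struct starts and ends outside the hunk.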
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 0b8674f38..aafb365fe 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -980,6 +980,7 @@ static int quic_derive_initial_secrets(struct ndpi_detection_module_struct *ndpi
static uint8_t *decrypt_initial_packet(struct ndpi_detection_module_struct *ndpi_struct,
+ const uint8_t *orig_dest_conn_id, uint8_t orig_dest_conn_id_len,
const uint8_t *dest_conn_id, uint8_t dest_conn_id_len,
uint8_t source_conn_id_len, uint32_t version,
uint32_t *clear_payload_len)
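Review bot: decrypt_initial_packet now takes two DCIDs that are easy to confuse, and the signature carries no comment saying which is which; the second hunk of this file shows only orig_dest_conn_id feeding quic_derive_initial_secrets, while dest_conn_id presumably still describes the header of the packet being decrypted (its later uses are outside the hunk). Suggest a comment above the signature: `/* orig_dest_conn_id: DCID of the client's first Initial, input to Initial secret derivation (RFC 9001 sec. 5.2); dest_conn_id: DCID carried by the packet being decrypted */`. The function body continues past the hunk.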
@@ -993,7 +994,7 @@ static uint8_t *decrypt_initial_packet(struct ndpi_detection_module_struct *ndpi
uint8_t client_secret[HASH_SHA2_256_LENGTH];
memset(&ciphers, '\0', sizeof(ciphers));
- if(quic_derive_initial_secrets(ndpi_struct, version, dest_conn_id, dest_conn_id_len,
+ if(quic_derive_initial_secrets(ndpi_struct, version, orig_dest_conn_id, orig_dest_conn_id_len,
client_secret) != 0) {
NDPI_LOG_DBG(ndpi_struct, "Error quic_derive_initial_secrets\n");
return NULL;
@@ -1320,6 +1321,7 @@ const uint8_t *get_crypto_data(struct ndpi_detection_module_struct *ndpi_struct,
}
static uint8_t *get_clear_payload(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
uint32_t version, uint32_t *clear_payload_len)
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
@@ -1355,7 +1357,19 @@ static uint8_t *get_clear_payload(struct ndpi_detection_module_struct *ndpi_stru
source_conn_id_len = packet->payload[6 + dest_conn_id_len];
const u_int8_t *dest_conn_id = &packet->payload[6];
+
+ /* For initializing the ciphers we need the DCID of the very first Initial
+ sent by the client. This is quite important when CH is fragmented into multiple
+ packets and these packets have different DCID */
+ if(flow->l4.udp.quic_orig_dest_conn_id_len == 0) {
+ memcpy(flow->l4.udp.quic_orig_dest_conn_id,
+ dest_conn_id, dest_conn_id_len);
+ flow->l4.udp.quic_orig_dest_conn_id_len = dest_conn_id_len;
+ }
+
clear_payload = decrypt_initial_packet(ndpi_struct,
+ flow->l4.udp.quic_orig_dest_conn_id,
+ flow->l4.udp.quic_orig_dest_conn_id_len,
dest_conn_id, dest_conn_id_len,
source_conn_id_len, version,
clear_payload_len);
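Review bot: The memcpy at the top of this hunk copies dest_conn_id_len bytes, a value read from the wire just above the hunk, into the 20-byte quic_orig_dest_conn_id, and the hunk itself shows no bound on that length; this is only safe if the length check earlier in get_clear_payload (not visible here) already rejects values above 20, so the invariant should be explicit at the copy: `if(flow->l4.udp.quic_orig_dest_conn_id_len == 0 && dest_conn_id_len <= sizeof(flow->l4.udp.quic_orig_dest_conn_id))`. A second caveat: per RFC 9001 sec. 5.2 the Initial secrets are re-derived from the server-chosen DCID after a Retry, so pinning the first DCID for the whole flow will fail to decrypt a post-Retry Initial unless some other path resets quic_orig_dest_conn_id_len (none is shown). get_clear_payload starts and ends outside the hunk.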
@@ -1943,7 +1957,7 @@ static void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct,
/*
* 4) Extract the Payload from Initial Packets
*/
- clear_payload = get_clear_payload(ndpi_struct, version, &clear_payload_len);
+ clear_payload = get_clear_payload(ndpi_struct, flow, version, &clear_payload_len);
if(!clear_payload) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
diff --git a/tests/cfgs/default/pcap/quic_frags_different_dcid.pcapng b/tests/cfgs/default/pcap/quic_frags_different_dcid.pcapng
new file mode 100644
index 000000000..c10e6d333
--- /dev/null
+++ b/tests/cfgs/default/pcap/quic_frags_different_dcid.pcapng
Binary files differ
diff --git a/tests/cfgs/default/result/quic_frags_different_dcid.pcapng.out b/tests/cfgs/default/result/quic_frags_different_dcid.pcapng.out
new file mode 100644
index 000000000..a20efaff1
--- /dev/null
+++ b/tests/cfgs/default/result/quic_frags_different_dcid.pcapng.out
@@ -0,0 +1,33 @@
+DPI Packets (UDP): 3 (3.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 1/1 (search/found)
+Automa domain: 1/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 1/1 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 1/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 2/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+Cloudflare 3 3826 1
+
+Acceptable 3 3826 1
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 129.21.84.33 1
+
+
+ 1 UDP 129.21.84.33:37229 <-> 73.185.34.172:443 [proto: 188.220/QUIC.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 3][cat: Media/1][2 pkts/2584 bytes <-> 1 pkts/1242 bytes][Goodput ratio: 97/97][0.26 sec][Hostname/SNI: cdnjs.cloudflare.com][(Advertised) ALPNs: h3][TLS Supported Versions: TLSv1.3][TLSv1.3][QUIC ver: V-1][JA3C: 77f2e7e7117b061992c6529845aa351c][JA4: q13d0311h][ECH: version 0xfe0d][PLAIN TEXT (27B@yd)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,66,0,0,0,0,0,0,0,0]